STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-272029

CAT I (High)

The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Rule ID

SV-272029r1168259_rule

STIG

Cisco ACI Layer 2 Switch Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000778

Discussion

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. In ACI, VLANs are used for traffic segmentation and identification, but their primary function is for identifying traffic, not directly configuring the leaf switch ports.

Check Content

Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.

1. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and verify that both 802.1x and MAB are enabled.
4. Navigate to the Endpoints section.
5. Choose the leaf nodes that host the host-facing ports and verify the port profile is applied.

Verify the policy group is assigned to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix Text

Enable 802.1X authentication on host-facing access ports in Cisco APIC and, to accommodate devices lacking 802.1X support, configure MAB (MAC Authentication Bypass). The following is an example.

1. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and enable 802.1x.
4. Set the 802.1x authentication parameters.
5. Enable MAB and specify the MAC address range and relevant settings.
6. For Host Mode, select "Single Host".
7. The MAC Auth should be EAP_FALLBACK_MAB.
8. In the Failed-auth VLAN field, select the VLAN to deploy to if authentication failed.
9. In the Failed-auth EPG field, choose the tenant, application profile, or EPG to deploy to if authentication failed.
10. Go to the Endpoints section.
11. Choose the leaf nodes that host the host-facing ports.
12. Apply the configured port profile to the host-facing ports.

Apply the policy group to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.
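The Check Content and Fix Text above are written as APIC GUI steps. The script below is an added example, not part of the STIG or of STIGhub, showing how the same check can be run offline against an exported APIC REST response: each 802.1x port authentication policy is tested against the rule (802.1x enabled, Single Host mode, EAP_FALLBACK_MAB, a failed-auth VLAN or EPG set), and every host-facing policy group is then required to reference a compliant policy. The object class name `l2PortAuthPol`, the attribute names (`adminSt`, `hostMode`, `macAuth`, `failAuthVlan`, `failAuthEpg`) and the REST encoding of the enum values are assumptions modelled on the APIC object model and must be confirmed against your APIC version; the sample response and the policy-group mapping are constructed for the example.

```python
"""Offline audit for STIG V-272029: 802.1x plus MAB on host-facing ACI leaf ports.

Added example (not DISA's or STIGhub's code). Input is the JSON body of an
APIC query such as GET /api/class/l2PortAuthPol.json, saved to disk, plus a
mapping of host-facing interface policy groups to the port authentication
policy each one references. Class and attribute names are assumptions.
"""
import json

POLICY_CLASS = "l2PortAuthPol"          # assumed APIC class for 802.1x port auth policy
REQUIRED_HOST_MODE = "Single Host"      # Fix Text step 6
REQUIRED_MAC_AUTH = "EAP_FALLBACK_MAB"  # Fix Text step 7

# Constructed sample in the APIC "imdata" envelope: one compliant policy, one legacy policy.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {POLICY_CLASS: {"attributes": {
            "name": "dot1x-host-ports", "adminSt": "enabled", "hostMode": "single-host",
            "macAuth": "eap-fallback-mab", "failAuthVlan": "vlan-999", "failAuthEpg": ""}}},
        {POLICY_CLASS: {"attributes": {
            "name": "legacy-open", "adminSt": "disabled", "hostMode": "multi-host",
            "macAuth": "", "failAuthVlan": "", "failAuthEpg": ""}}},
    ],
})

# Constructed mapping: host-facing policy group -> referenced port auth policy (None = none attached).
SAMPLE_GROUPS = {
    "host-access-ok": "dot1x-host-ports",
    "host-access-legacy": "legacy-open",
    "host-access-unassigned": None,
}


def _norm(value):
    """Normalise GUI labels and REST enum spellings ('Single Host', 'single-host', 'single_host')."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def evaluate_policy(attrs):
    """Return the list of deviations of one port authentication policy from the rule."""
    findings = []
    if _norm(attrs.get("adminSt", "")) != "enabled":
        findings.append("802.1x authentication is not enabled")
    if _norm(attrs.get("hostMode", "")) != _norm(REQUIRED_HOST_MODE):
        findings.append("host mode is %s, expected %s"
                        % (attrs.get("hostMode") or "unset", REQUIRED_HOST_MODE))
    if _norm(attrs.get("macAuth", "")) != _norm(REQUIRED_MAC_AUTH):
        findings.append("MAB fallback not set (macAuth=%s)" % (attrs.get("macAuth") or "unset"))
    if not attrs.get("failAuthVlan") and not attrs.get("failAuthEpg"):
        findings.append("no failed-auth VLAN or EPG configured")
    return findings


def iter_policies(payload):
    """Yield the attribute dicts of every POLICY_CLASS object in an imdata envelope."""
    for item in payload.get("imdata", []):
        for cls, body in item.items():
            if cls == POLICY_CLASS:
                yield body["attributes"]


def audit(response_json, host_facing_groups):
    """Map each non-compliant host-facing policy group to its findings (empty dict = no finding)."""
    policies = {a["name"]: evaluate_policy(a) for a in iter_policies(json.loads(response_json))}
    report = {}
    for group, policy_name in host_facing_groups.items():
        if policy_name is None:
            report[group] = ["no 802.1x port authentication policy attached"]
        elif policy_name not in policies:
            report[group] = ["references unknown policy %s" % policy_name]
        elif policies[policy_name]:
            report[group] = policies[policy_name]
    return report


if __name__ == "__main__":
    for group, findings in sorted(audit(SAMPLE_RESPONSE, SAMPLE_GROUPS).items()):
        print("FINDING %s:" % group)
        for f in findings:
            print("  - %s" % f)
```

Any policy group present in the report is a finding under this rule; a group that references a policy not returned by the query is reported as well, because the check also requires the policy group to actually be assigned to the host-facing interface profile.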